The European Union recently
released draft legislation that has the potential to transform EU data privacy
law. The draft General Data Protection Regulation (“draft Regulation”) proposes
a range of new individual rights designed to protect consumers whose personal
information is collected, processed, and stored by corporations and other
entities.1Most
notably, the draft Regulation would establish a consumer’s “right to be
forgotten,”2
mandating that entities that collect or process data—which, for ease, I will
call “data users”3—must
delete any data relating to an individual “data subject”4 upon
his request. Furthermore, any third parties with whom this information has been
shared would also generally be required to respect the data subject’s request
for deletion.5

The draft Regulation, which
was approved by the European Commission in January 2012, is unlikely to be
finalized and enter into force for at least another several months.6 But the legislation
has already proven highly controversial for its potential applicability to any
corporation that processes the personal data of EU citizens (including U.S.
corporations),7 for
its potential effects on free speech rights8 and
criminal investigations,9 for
its alleged technological infeasibility,10 and
for the possibility that it may impede bilateral policymaking efforts between
the United States and the European Union.11

A yet unexplored dimension of
the draft Regulation, however, is its relationship to broader questions about
what rights-and-remedies scheme is most appropriate for protecting consumer
privacy in data collection. Though the Regulation is framed in the fundamental-human-rights
terms typical of European privacy law, this Comment argues that it can also be
conceived of in property-rights terms. The Regulation takes the unprecedented
step of, in effect, creating a property regime in personal data, under which
the property entitlement belongs to the data subject and is partially
alienable. More specifically, the data protection plan takes for granted that
personal data has become akin to a commodity capable of changing hands; working
off of this reality, it allows for the highly regulated exchange of data while
also adapting rights and remedies commonly associated with property in service
of the goal of protecting consumer privacy. The Regulation’s use of
property-derived rights is particularly unusual and significant since a
human-rights-based approach to privacy—which the EU generally embraces—is often
thought of as incompatible with a property-rights-based approach.12

The EU’s proposal includes
three elements in particular that lend themselves to a property-based conception:
consumers are granted clear entitlements to their own data; the data, even
after it is transferred, carries a burden that “runs with” it and binds third
parties; and consumers are protected through remedies grounded in “property
rules.” In these respects, the proposed scheme is remarkably similar to
existing, heretofore purely theoretical, proposals for property regimes for
protecting personal data, especially the model proposed by Paul Schwartz in
2004.13
But the draft Regulation seems to be one of the first legislative proposals
that would actually implement this kind of propertized
personal data regime.

This Comment proceeds in two
Parts. Part I outlines some theoretical proposals for propertized
personal information designed to remedy the shortcomings of contemporary data
protection law, exploring the features of “property” that scholars have seized
on in presenting these proposals. Part II argues that these property-oriented
safeguards are present in the draft Regulation, even though the Regulation is
not at all framed in property terms. The Conclusion briefly explores the
implications of this analysis for the broader question of whether propertizing personal data can be reconciled with treating
privacy as a human right, pointing out that the draft Regulation seems to transcend this debate by adapting the rights and remedies
commonly associated with property in service of a human-rights-driven approach
to privacy.

I. data privacy and property

Both the United States and the
European Union provide some privacy protections for consumers during data
collection, but neither has established a property scheme to this effect.
Neither U.S. law nor EU law considers data subjects to have proprietary
interests in their own personal information.14 Both instead provide consumers with
some limited options to sue for damages when their privacy is compromised in
the course of data processing. These “liability rule”15 protections are based in the common
law of tort or contract (in the United States),16
subject-specific statutes (also in the United States),17 or omnibus privacy legislation (in
Europe).18

But despite the fact that data
privacy is still protected through liability rules, the corporations that
process personal data increasingly treat it as a commodity. Corporations
collect this information from consumers (often as a quid pro quo during the
sale of goods or services), compile it, and often sell these collections to
other corporations.19 Even U.S. courts have occasionally
recognized data as a kind of property, but
only after it has been collected by a corporation.20

In reaction to this trend,
scholars, especially in the early 2000s, began exploring alternative data
privacy protection schemes derived from property law and theory. Lawrence Lessig is one of the best-known proponents of creating a
free market in personal data. Under Lessig’s
proposal, consumers would hold the original property entitlements to their own
personal information and would be able to bargain with data users to determine
when it would be advantageous to forfeit their privacy by selling their data.21 Critics of this
proposal highlight the dangers of allowing consumers to freely sell their
private information, pointing especially to the potential information
disparities in a personal data market. Under an unregulated market system,
consumers could be convinced to sell their information without completely
understanding the full scope of how corporations might use it, or the degree to
which their privacy would be compromised by the transaction.22

In response to these concerns,
scholars including Paul Schwartz, Edward Janger, and
Vera Bergelson have proposed highly regulated
property regimes that would carry some property-oriented rights and remedies
but not others. Schwartz’s proposal is the best known—indeed, it was recently
endorsed by Timothy D. Sparapani, the former Public
Policy Director of Facebook23—and
will be the primary focus of this Comment.

“Property” is a notoriously
nebulous concept, and Schwartz (as well as other theorists of data property)
has declined to adopt a cohesive definition, understanding “property as a
bundle of interests rather than despotic dominion over a thing.”24 Proponents of a
regulated data property regime all focus on the ways that personal information
is already treated as a commodity by corporations and argue that protecting
such data with a legally cognizable property entitlement, vested in data
subjects and regulated in various ways, provides necessary protections that are
absent in the status quo.25
Rather than arguing that the free market can do all the work of protecting
privacy, as Lessig does, they instead seize on some
of the other rights and remedies commonly associated with property regimes and
explore how conceiving of data as property for certain purposes might in fact
offer the best option for protecting consumer privacy while still enabling
individuals to share their data with data users under certain circumstances.
For example, Schwartz especially seizes on one of the features commonly
associated with property regimes: under some property schemes, “the burden of a
property right ‘runs with the asset’” in question.26 This feature allows for property
rights to create burdens that bind third parties—third parties with whom I have
no explicit legal relationship nonetheless have a duty to respect my property
rights in an asset—in contrast to contract rights, which bind only the specific
parties in privity.27 This
is particularly important in the context of data privacy, because it allows a
data subject to retain some rights in her data, even in transactions between
data users to which the subject is not a party.

Schwartz uses this definition
to argue that crafting a regime in which consumers have legally enforceable
property interests in their data would “enable[]
certain interests to be ‘built in’” to personal data.28 Such a regime would “allow[]
individuals to share, as well as to place limitations on, the future use of
their personal information” and is property-like in that data subjects’
interests “follow the personal information through downstream transfers and
thus limit the potential third-party interest in it.”29 Schwartz’s model, in this respect,
is predicated on the assumption that free alienability is not “an inexorable
aspect of information-property.”30
Indeed, Schwartz argues that a propertized data
scheme, even while treating data as a commodity for certain purposes, should
place limits on a consumer’s right to fully sell her personal information on an
open market.31

In practicable terms, Schwartz
advocates for several requirements in a hypothetical propertized
personal data scheme, two of which are most clearly tied to the unique benefits
of propertization.32
First, such a scheme would clearly vest the original entitlement to personal
information with the data subject. Schwartz frames this requirement as a
default rule requiring consumers to “opt in” to any use of their information.33 Even after opting
in, consumers would always maintain a “right of exit” from existing agreements
to data processing, to “prevent[] initial bad bargains
from having long-term consequences.”34 In this respect, an individual would
only ever partially (and temporarily) forfeit her right to exclude others from
the data, similar to a licensing scheme.35 Second, such a scheme would also
give consumers rights enforceable against third parties and the burden of these
rights would run with their data. Further transfers of the data would be
subject to “use-transfer” restrictions: consumers could agree to initial use of
their data by a private entity, but “block further transfer or use” by other
entities who might gain access to the data through downstream transactions.36

Other advocates of propertizing data, including Janger
and Bergelson, devote significant attention to a
third feature common to property regimes: remedy. As discussed above, under
current law, data privacy is generally only protected by liability rules. A
defendant may be ordered to pay damages, but remedies commonly used to protect
property interests, such as injunctions or punitive damages,37 are generally not available. As Janger notes, under a data property regime, a data
subject’s rights would be protected by property rules, rather than liability
rules. A data user may not simply “choose to violate” a data subject’s interest
in her own personal information and pay appropriate damages; rather, “[p]ropertization changes the order of this interaction. Either
through criminal sanction, affirmative judicial order, or prohibitively high
(and/or punitive) fines, a property rule makes a non-consensual taking
infeasible.”38

The next Part demonstrates
that even though the draft Regulation is not presented as explicitly
establishing property-like protections for personal data, these three
features—default entitlements, burdens that run with the data, and
property-rule-based remedies—are all present in the Regulation’s
rights-and-remedies scheme. The Conclusion then explains the significance of
this finding for broader debates about whether a human-rights-driven approach
to privacy can be reconciled with treating personal data as property.

II. the
draft regulation as a property regime

The EU draft Regulation,39 if adopted, would
modify current European data protection law significantly.40 Most
importantly, the legislation would establish new individual data privacy rights
including a “[r]ight to be forgotten.”41These
provisions are self-consciously framed as stemming from the human right to
privacy enshrined in documents like the European Convention on Human Rights and
the Charter of Fundamental Rights of the European Union.42 Viviane Reding, the Vice
President of the European Commission, has explained that “[p]ersonal data protection is a fundamental right for all
Europeans” and that the draft Regulation was crafted with this
human-rights-oriented approach in mind.43

But despite the fact that the
draft Regulation is grounded in human rights rhetoric and employs no property
terminology, its protections nonetheless function remarkably like the regulated
property schemes described in the last Part. While the right to be forgotten
and the Regulation’s other consumer-protection rights are not themselves
“property rights” enforceable against third parties, they stand for a set of
interests in, and burdens placed on, consumer data that can be best understood
in property terms. The remainder of this Part demonstrates how the draft
Regulation creates a scheme that adopts three of the principal features of propertized personal information described by Schwartz and
others: (1) default data subject entitlements that are only partially
alienable; (2) burdens that run with the asset and bind third parties; and (3)
property-rule-based remedies.

A. Data Subjects Maintain Default Entitlements
to Their Own Personal Information that Are Only Partially Alienable

The various requirements
imposed on data users by the draft Regulation are all predicated on the notion
that the data subject maintains the default entitlement to her personal
information. Article 6 outlines a limited set of circumstances in which the
collection and processing of data is lawful, the clearest of which is explicit
“consent” by the data subject. Under this framework, a data subject must
explicitly opt in to granting a data user access to her information in order
for future processing to be lawful.44

Article 6 also lists specific
(though seemingly rare) circumstances where no explicit consent has been
proffered but the data user has some obligation that necessitates the data processing.
For example, if “processing is necessary for the performance of a contract to
which the data subject is party,” it is lawful even without the explicit
consent of the data subject.45
However, even in these special situations where the data subject has not
explicitly consented to processing, she must still be explicitly informed that her data has been
collected and that she maintains the prerogative to end any data processing by
requesting that her data be erased from the databases in which it is currently
being held.46

The data subject may exercise
a right of exit—namely, her “right to erasure” (or “right to be forgotten”)—at
any time, with restrictions based on the original grounds under which the data
was collected. For example, if the data processing was originally lawful only
because the data subject had expressly consented—the most likely scenario—the
data subject may withdraw that consent and demand erasure at any time.47 But if the
processing was based on one of the circumstances in which explicit consent is
not necessary (for example, the “processing is necessary for the performance of
a task carried out in the public interest”48),
the data subject may still object to the processing.49
Unless the data user can demonstrate “compelling legitimate grounds for the
processing,” the data user must also erase this data.50

In this respect, the draft
Regulation is predicated on the assumption that although data is a kind of
commodity capable of changing hands, the data subject always retains the
ultimate entitlement to this property. A data user may essentially receive a
“license” to use the subject’s data,51
since the data subject has temporarily
waived her right to exclude it from using her information. But the data subject
maintains the discretion to terminate this license and force the data user to
cease storing or using her information.

The draft Regulation arguably
goes a step beyond most real and intellectual property schemes in that it
establishes that individuals always
maintain the ultimate entitlement to their own personal data and may not
forfeit their rights through contract. Like in Schwartz’s proposed model,
individuals may never completely sell or forfeit their right to block use of
their personal information.52 In
this respect, the draft Regulation’s scheme is similar to a more unusual area
of intellectual property: the moral rights of artists, which grant an artist a
proprietary interest in his own work, even after it has been sold, that
prevents others from altering or destroying the work.53 In France,
an artist may never contract away this right.54

B. Data Subjects’ Rights Create Burdens that
“Run with” the Data

The draft Regulation
establishes that the data subject’s proprietary interest in her own data—her
original entitlement to that information and right to reclaim it from the
control of others—creates a burden that runs with the data and binds third
parties. In other words, the data subject maintains a right to demand that her
data be erased, not only by the original data user with whom she dealt, but
also from the databases of any other entities that may have gained access to
the data. The draft Regulation states that any data user must “take all
reasonable steps . . . to inform third parties which are processing such data,
that a data subject requests them to erase any links to, or copy or replication
of that personal data.”55
These third-party data users would be bound to respect the data subject’s
exercise of her right to be forgotten or risk incurring sanctions under the
Regulation.

This requirement is one of the
most property-like features of the new regime in that it creates a burden that
“runs with” the data subject’s information. Rather than conceiving of privacy
protection as purely in personam, the draft Regulation instead grounds these
rights in the data itself. Like in Schwartz’s model, then, the data subject’s
interest is “built in” to the data,56
functioning like a kind of negative covenant.57 Any
data users that gain access to the data subject’s information, irrespective of
whether they are in privity with the data subject,
must still respect what Schwartz might call the “use-transferability”
restrictions58
built into the data that give the original data user the discretion to
terminate processing.

C. Data Subjects Can Seek Property-Rule-Based
Remedies

The remedy system established by the draft Regulation
also mirrors the scheme often used to protect property interests. As discussed
in Part I, an interest is protected by a “property rule” if it is protected
from an unwanted taking by another party, under the assumption that property
can only legitimately change hands based on the true consent of the original
owner.59 Courts and
legislatures often (though not always) protect such interests using remedies
designed to restore the true owner’s entitlement (injunctions)60 or to deter parties from violating
the entitlement to begin with (fines or punitive damages).61

The draft Regulation provides
several avenues for a data subject to enjoin a data user to erase her data, in
essence enforcing the data subject’s entitlement by “returning” the information
to her exclusive ownership. Individuals may “lodge a complaint” against data
users through their local “supervisory authority”—the regulatory bodies charged
with enforcing compliance with the Regulation62—which have the power “to order the
rectification, erasure or destruction” of data.63
Additionally, a data subject may bring a direct action against a data user in
local courts, which are also empowered to enforce the provisions of the
Regulation using injunctions.64Finally, a data user that “intentionally or negligently” fails to
respond to a data subject’s attempt to exercise her right to be forgotten may
be subject to extremely high fines: “500,000 [euro], or in case of an enterprise
up to 1% of its annual worldwide turnover.”65

Conclusion

Though the EU’s draft
Regulation is framed as stemming from the human right to privacy enshrined in
European public law,66 this
Comment has argued that it also, implicitly, treats personal data as a
commodity capable of changing hands. While the Regulation forbids free
marketization of data, it nonetheless uses property-derived rights and
remedies—similar to those identified by Paul Schwartz and other scholars—to
protect personal privacy in the course of data processing. By creating default
data subject entitlements to data, a quasi-licensing scheme for data users who
seek to use this data, use-transfer restrictions that “run with” the data, and
property-rule-based remedies, the draft Regulation would dramatically overhaul
the current system of primarily liability-oriented protections.

The fact that a regime might
utilize some property-derived rights and remedies in service of human-rights
goals may seem incongruous, considering that we often treat propertization
as anathema to human-rights interests.67 But the draft Regulation model
demonstrates that a regulated
property regime—in which some but not all of the property-rights “sticks” are
granted to consumers—might, in fact, be able to accommodate the same normative
impulse that drives some to conceive of data privacy as a fundamental human
right: the notion that uninhibited exchanges of personal data corrode human
dignity and personhood.68 The
draft Regulation is predicated on the assumption that we live in a world in which
personal data has been and will be treated like a commodity and simply banning
exchanges of personal data is not a viable option; instead, regulating these
exchanges and providing consumers with additional agency, using
property-derived rights and remedies,69
offers the best hope of protecting the dignitary, human-rights-driven privacy
interests at stake.70 This
reflects the assumption that “property is an artifact, a human creation that
can be, and has been, modified in accordance with human needs and values”71 that also underlies the propertized data model proposed by Schwartz.

In this respect, the European
Commission’s apparent willingness to implicitly use property-derived rights and
remedies in the service of data privacy protection demonstrates that, notwithstanding
claims that this approach has “passed its peak,”72 the
prospect of crafting a regulated property regime to protect data privacy still
has the potential to inform other data privacy law reform efforts in years to
come.

SeePurtova, supra note 14, at 2 (claiming that the “American debate on the propertisation of pers…

73

*I am incredibly grateful to Professor Claire Priest for advising the project from which this Comme…

1

Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, COM (2012) 11 final (Jan. 25, 2012), http://www.europarl.europa.eu/registre/docs _autres_institutions/commission_europeenne/com/2012/0011/COM_COM%282012%290011_EN.pdf [hereinafter Draft Data Protection Regulation]. The draft Regulation seems to be primarily designed to regulate data processing by private entities. While some agencies of EU member-states may also be bound by the Regulation, the majority would fall outside its purview. See id.art. 2(2) (listing, inter alia, “Union institutions, bodies, offices and agencies” and authorities devoted to the “prevention, investigation, detection or prosecution of criminal offences” as entities that are not bound by the Regulation).

2

Id. art. 17.

3

The draft Regulation distinguishes between data “controllers,” which own and maintain databases, and data “processors,” which process data on behalf of data controllers. Id. art. 4(5)-(6). Because most of the Regulation’s principles apply to both types of entities, I have adopted the neutral term “data user.”

4

The draft Regulation defines a data subject as

an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Id. art. 4(1).

5

Id. art. 17; see also id. art 6(a) (explaining the role of the data subject’s consent in determining the legality of processing).

6

Since January 2012, several European Union institutions have proposed amendments to the draft Regulation. For example, the Council of the European Union, a legislative body of ministers of EU member-states, proposed its own version in May 2013. A special committee is also examining various amended versions of the draft Regulation and preparing a text for consideration by the European Parliament. Once this version is approved, the European Parliament and Council of the European Union will enter into negotiations over the compromise version and likely vote on a final version in the next few months. Hunton & Williams LLP, Council of the European Union Releases Draft Compromise Text on the Proposed EU Data Protection Regulation, Privacy & Info. Security L. Blog (June 4, 2013), http://www.huntonprivacyblog.com/2013/06/articles/council-of-the-european-union-releases-draft-compromise-text-on-the-proposed-eu-data-protection-regulation. While some of the newly proposed versions of the draft Regulation significantly amend the original draft, the provisions of greatest significance to this Comment appear to be mostly unaffected. See, e.g., Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation)—Key Issues of Chapters I-IV, Council Eur. Union (May 31, 2013), http://register.consilium.europa.eu/pdf/en/13 /st10/st10227-ad01.en13.pdf (the Council of the European Union’s amended version). Because the final version of the Regulation remains in flux, this Comment focuses only on the text of the original 2012 European Commission draft. See Draft Data Protection Regulation, supra note 1. However, it is important to note that the final version of the Regulation may temper some of the 2012 draft’s more controversial proposals.

7

Draft Data Protection Regulation, supra note 1, art. 3(2).

8

See, e.g., Jeffrey Rosen, The Right to Be Forgotten, 64 Stan. L. Rev. Online 88 (2012) (arguing that the “right to be forgotten,” as conceived of in the draft Regulation, may restrict speech protected by the First Amendment).

9

SeeRemarks by U.S. Ambassador to the EU, William E. Kennard, at Forum Europe’s 3rd Annual European Data Protection and Privacy Conference, U.S. Mission to Eur. Union (Dec. 4, 2012), http://useu.usmission.gov/kennard_120412.html (arguing that the draft Regulation could hinder law enforcement cooperation).

10

See Peter Druschel et al., The Right to Be Forgotten–Between Expectations and Practice, Eur. Network & Info. Security Agency (Nov. 20, 2012), http://www.enisa.europa.eu /activities/identity-and-trust/library/deliverables/the-right-to-be-forgotten/at_download /fullReport (highlighting challenges to implementing the draft Regulation under the existing technical structure of the Internet).

11

See Paul M. Schwartz, The EU-U.S. Privacy Collision: A Turn to Institutions and Procedures, 126 Harv. L. Rev. 1966, 1968-2001 (2013) (outlining the development of the EU-U.S. status quo on data privacy policy). Schwartz argues that “[t]he Proposed Regulation carries a potential for destabilization of the current status quo.” Id. at 1994.

Vera Bergelson, It’s Personal but Is It Mine? Toward Property Rights in Personal Information, 37 U.C. Davis L. Rev. 379, 403-04 (2003) (describing how U.S. law does not grant individuals property rights in their personal information); see alsoNadezhda Purtova, Property Rights in Personal Data: A European Perspective 153-220 (2012) (surveying European data protection law and contrasting it with a hypothetical property-based regime).

15

Under the famous framework developed by Guido Calabresi and Douglas Melamed, an entitlement is protected by a “liability rule” when a defendant may violate it in exchange for paying damages. Guido Calabresi & A. Douglas Melamed, Property Rules, Liability Rules, and Inalienability: One View of the Cathedral, 85 Harv. L. Rev. 1089, 1092 (1972). For a discussion of the differences between property rules and liability rules in the context of data protection, see infra notes 37-38 and accompanying text.

16

In practice, courts have generally been unwilling to award damages to consumers for breach of contract when a corporation has violated its data privacy policy. See, e.g., In re JetBlue Airways Corp. Privacy Litig., 379 F. Supp. 2d 299, 326-27 (E.D.N.Y. 2005) (holding, inter alia, that plaintiffs in a class action against JetBlue for breach of its privacy policy were ineligible to recover damages because “the only damage that can be read into the present complaint is a loss of privacy,” which is “not a damage available in a breach of contract action”). Courts have similarly been unwilling to apply the “privacy torts,” Restatement (Second) of Torts §§ 652B-652E (1977), to violations of privacy in data collection and processing. For a survey of such cases, see Purtova, supra note 14, at 99-106.

See Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31 (mandating that corporations provide certain protections to data subjects during data collection and processing). Data subjects may seek damages from corporations that violate the Directive. Id. art. 22, 23(1).

19

See Jessica Litman, Information Privacy/Information Property, 52 Stan. L. Rev. 1283, 1284 (2000) (“Non-cash purchases are memorialized and toted up. Large cash purchases are memorialized and turned in. Cash withdrawals and deposits are recorded and saved. Visits to the doctor, diagnoses, prescriptions, and referrals are coded and passed along. Everything we look at on the Internet is noted and retained. All of this information is collected, aggregated, and stored on computers. Anyone with reason to do so can correlate the information stored on one computer with the information stored on another, and another, and another. The resulting dossier may be used, sold, published, or correlated with other sources of data. In the United States, that’s completely legal.” (footnotes omitted)); Schwartz, supra note 13, at 2069-72 (describing how personal information is “commodified and traded” in various contexts).

20

See, e.g., In re Nw. Airlines Privacy Litig., No. Civ. 04-126, 2004 WL 1278459, at *4 (D. Minn. June 6, 2004) (stating that when passengers voluntarily gave Northwest Airlines their personal information and Northwest Airlines compiled that information into a data record, the record “itself became Northwest’s property”); U.S. News & World Report, Inc. v. Avrahami, No. 95-1318, 1996 WL 1065557, at *6 (Va. Cir. Ct. June 13, 1996) (holding that the sale of a magazine mailing list did not constitute conversion because the plaintiff did not maintain a proprietary interest in his name, whereas U.S. News & World Report did maintain a proprietary interest in its collection of names).

21

SeeLawrence Lessig, Code and Other Laws of Cyberspace 122-35, 159-63 (1999); Lawrence Lessig, TheArchitecture of Privacy, 1 Vand. J.Ent. L. & Prac. 56, 63-64 (1999) (“If the law gave individuals the rights to control their data, or more precisely, if those who wanted to use that data had first to secure the right to use it, then a negotiation would occur over whether, and how much, data should be used. The market could negotiate these rights, if a market in these rights could be constructed.”); Lawrence Lessig, Privacy as Property, 69 Soc. Res. 247, 261 (2002).

22

See Neil Weinstock Netanel, Cyberspace Self-Governance: A Skeptical View from Liberal Democratic Theory, 88 Calif. L. Rev. 395, 476 (2000) (“[M]ost users are not even aware that the websites they visit collect user information, and even if they are cognizant of that possibility, they have little conception of how personal data might be processed.”).

Hansmann & Kraakman, supra note 26, at S378 (“[T]he attribute that distinguishes a property right from a contract right is that a property right is enforceable, not just against the original grantor of the right, but also against other persons to whom possession of the asset, or other rights in the asset, are subsequently transferred.”). Similar, though not identical, to this idea is the notion that “[p]roperty rights . . . are in rem—they bind ‘the rest of the world.’” Thomas W. Merrill & Henry E. Smith, TheProperty/Contract Interface, 101 Colum. L. Rev. 773, 777 (2001).

28

Schwartz, supra note 13, at 2098.

29

Id. at 2094, 2097.

30

Id. at 2093; see also Bergelson, supra note 14, at 444-45 (arguing that, under a hypothetical data property regime, some rights to personal data could be declared inalienable even while others are freely marketable); Janger, supra note 17, at 903 (recognizing that a “mandatory crystalline inalienability rule” could be included in a property regime). See generallyHansmann & Kraakman, supra note 26, at S411-12 (providing a general critique of the notion that property rights are synonymous with alienability); Thomas W. Merrill, The Property Strategy, 160 U. Pa. L. Rev. 2061, 2079 (2012) (arguing that alienation is not “essential to the property strategy”).

31

Schwartz, supra note 13, at 2094 (explaining that under Schwartz’s proposed “hybrid alienability” model, consumers would be able to “share, as well as to place limitations on, the future use of their personal information”).

32

Schwartz in fact outlines five features in a hypothetical data property regime: “inalienabilities, defaults, a right of exit, damages, and institutions,” Schwartz, supra note 13, at 2094, but also recognizes that “[a] key element of this model is the employment of use-transferability restrictions in conjunction with an opt-in default,” id. (emphasis omitted), which are the two features most tied to the unique nature of property-based protection. For that reason, I focus mainly on these property-based protections, rather than on the other features of the proposed regime.

33

Id. at 2060, 2100-06.

34

Id. at 2106-07.

35

For a comparison with licenses, see Bergelson, supra note 14, at 446. A license is defined as a property owner’s “temporary and revocable” waiver of his right to exclude. Thomas W. Merrill & Henry E. Smith, Property: Principles and Policies 449 (2d ed. 2012).

36

Schwartz, supra note 13, at 2095-2100.

37

SeeMerrill & Smith, supra note 35, at 962.

38

Janger, supra note 17, at 914; see alsoBergelson, supra note 14, at 417 (“On a more abstract level, the choice between the tort regime and the property regime for the protection of personal information means the choice between property rules and liability rules as defined in the seminal article authored by Calabresi and Melamed.”). It is interesting to note that Schwartz self-consciously chooses to use compensatory damages as the main remedy in his model, in lieu of property-rule-based protections. Schwartz, supra note 13, at 2109 (“A state determination of damages through privacy legislation is preferable to the Calabresi-Melamed approach of enforcing the subjective valuations of private parties with injunctions.”). However, in keeping with this Comment’s goal of exploring the unique features that a property regime can bring to data protection, I choose to focus on Janger’s and Bergelson’s use of property-rule-based protections.

39

The new legislation is a “Regulation,” meaning it would be binding on all EU member-states as law and enforceable in any member-state court. In contrast, the EU’s current data protection Directive, supra note 18, must be implemented by member-states through domestic legislation. Jane Finlayson-Brown, How to Prepare for Proposed EU Data Protection Regulation, Computer Wkly., Mar. 2012, http://www.computerweekly.com/opinion /Proposed-EU-Data-Protection-Regulation-what-should-companies-be-thinking-about.

Seesupra notes 34-35 and accompanying text. The data could be said to be partially protected by what Calabresi and Melamed call an “inalienability rule.” Calabresi & Melamed, supra note 15, at 1092-93 (“An entitlement is inalienable to the extent that its transfer is not permitted between a willing buyer and a willing seller. The state intervenes not only to determine who is initially entitled and to determine the compensation that must be paid if the entitlement is taken or destroyed, but also to forbid its sale under some or all circumstances.”).

The comparison with moral rights is also instructive here: to the extent an artist maintains a right that future purchasers not destroy or alter her work and “the artist can . . . enforce that right against subsequent third-party transferees of the painting,” she maintains “a property right in the painting.”Hansmann & Kraakman, supra note 26, at S379. We might understand the burden placed on future holders of the artwork as “a type of negative covenant held in gross (that is, personally) . . . that would let the artist prevent any subsequent owner of a work of art from altering it.”Id. at S377. So too here, a data subject’s right to demand erasure by any third parties that gain access to her personal information, irrespective of whether that party is in privity with the data subject, creates a kind of negative covenant on the data that binds third parties.

58

Schwartz, supra note 13, at 2098.

59

Seesupra notes 37-38 and accompanying text. Janger defines a property rule by distinguishing it from a liability rule:

Where an entitlement is protected by a liability rule, the defendant may choose to violate the right and pay damages. In other words, a non-consensual taking may precede negotiation over price. Propertization changes the order of this interaction. Either through criminal sanction, affirmative judicial order, or prohibitively high (and/or punitive) fines, a property rule makes a non-consensual taking infeasible.

Janger, supra note 17, at 914.

60

See, e.g., eBay Inc. v. MercExchange, L.L.C., 547 U.S. 388, 395 (2006) (Roberts, C.J., concurring) (“From at least the early 19th century, courts have granted injunctive relief upon a finding of infringement in the vast majority of patent cases. This ‘long tradition of equity practice’ is not surprising, given the difficulty of protecting a right to exclude through monetary remedies that allow an infringer to use an invention against the patentee’s wishes . . . .”).

61

For example, in a now-famous case, the Wisconsin Supreme Court affirmed an award of $100,000 in punitive damages to a victim of trespass, even though the actual damages were minimal, because “the individual and society have significant interests in deterring intentional trespass to land, regardless of the lack of measurable harm that results.” Jacque v. Steenberg Homes, Inc., 563 N.W.2d 154, 159 (Wis. 1997).

62

Draft Data Protection Regulation, supra note 1, arts. 46, 73(1).

63

Id. art. 53(1)(f).

64

Id. arts. 75(1), 76(5).

65

Id. art. 79(5).

66

See supra notes 42-43.

67

See Margaret Jane Radin, Incomplete Commodification in the Computerized World, inThe Commodification of Information 3, 17 (Niva Elkin-Koren & Neil Weinstock Netanel eds., 2002) (“It makes a big difference whether privacy is thought of as a human right, attaching to persons by virtue of their personhood, or as a property right, something that can be owned and controlled by persons. . . . Human rights are presumptively market-inalienable, whereas property rights are presumptively market-alienable.”).

68

See id.; Marc Rotenberg, Fair Information Practices and the Architecture of Privacy (What Larry Doesn’t Get), 2001 Stan. Tech. L. Rev. 1, ¶ 93 (arguing that a “market-based model [of the right to privacy], which seeks to facilitate the transfer of control over privacy interests, is clearly at odds with th[e] tradition” of treating privacy as a personhood interest).

69

Notably, Radin’s skepticism of protecting privacy using a property regime is grounded in the assumption that under a propertized personal data regime “online commerce will be governed more and more by contracts between providers and users, and less by a priori (default) entitlement structures.” Radin, supra note 67, at 18 (footnote omitted). In contrast, default entitlement structures (and curtailed free marketability) are essential to the regime presented in the draft Regulation, which explains its greater compatibility with a human-rights approach.

70

Cf.Hansmann & Kraakman, supra note 26, at S386 (noting that while Europeans often think of the artist’s moral right of integrity as a “right[] of personality,” not a property right, it can nonetheless be conceived of as a human right that is protected through property-based rights and remedies).

SeePurtova, supra note 14, at 2 (claiming that the “American debate on the propertisation of personal data has since passed its peak”).

73

*I am incredibly grateful to Professor Claire Priest for advising the project from which this Comment stems. I would also like to thank Professor Amy Kapczynski for her helpful comments on an earlier draft, Professor Oona Hathaway for introducing me to the draft Regulation, and Alex Metz and the editors of theYale Law Journal for their excellent suggestions and careful editing.